marcsaeg 01/04/06 18:07:19 Modified: src/share/org/apache/tomcat/core Tag: tomcat_32 Context.java src/share/org/apache/tomcat/util Tag: tomcat_32 URLUtil.java Log: Fixes a security hole caused by URLs being decoded twice. The second decoding is happening when an InputStream is opened on a file: URL. The security problem does not appear when using JDK1.2.2. Revision Changes Path No revision No revision 1.100.2.6 +8 -2 jakarta-tomcat/src/share/org/apache/tomcat/core/Context.java Index: Context.java =================================================================== RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/Context.java,v retrieving revision 1.100.2.5 retrieving revision 1.100.2.6 diff -u -r1.100.2.5 -r1.100.2.6 --- Context.java 2001/03/16 23:43:53 1.100.2.5 +++ Context.java 2001/04/07 01:07:18 1.100.2.6 @@ -168,6 +168,8 @@ String vhost=null; Vector vhostAliases=new Vector(); FacadeManager facadeM; + + private boolean fileURLBug = URLUtil.hasFileURLBug(); // Saves a synchronized method call for each request public Context() { defaultContainer=new Container(); @@ -767,9 +769,13 @@ } try { - url=new URL("file", null, 0,realPath ); + if(!fileURLBug){ + realPath = URLEncoder.encode(realPath); + } + System.out.println("Context.getResource: realPath = " + realPath); + url=new URL("file", null, 0,realPath ); if( debug>9) log( "getResourceURL=" + url + " request=" + rpath ); - return url; + return url; } catch( IOException ex ) { ex.printStackTrace(); return null; No revision No revision 1.7.2.1 +47 -3 jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/URLUtil.java Index: URLUtil.java =================================================================== RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/URLUtil.java,v retrieving revision 1.7 retrieving revision 1.7.2.1 diff -u -r1.7 -r1.7.2.1 --- URLUtil.java 2000/05/01 23:07:48 1.7 +++ URLUtil.java 2001/04/07 01:07:19 1.7.2.1 
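Review bot: The added `System.out.println("Context.getResource: realPath = " + realPath);` in the second Context.java hunk (@@ -767,9 +769,13 @@) runs unconditionally on every resource lookup and writes the resolved filesystem path to stdout. It looks like leftover debugging and would fit better behind the existing guard, e.g. `if( debug>9) log( "getResource realPath=" + realPath );`. Separately, `URLEncoder.encode(realPath)` is form encoding, so it also rewrites `/` as `%2F` and a space as `+`; whether the file: handler on a decoding VM turns `+` back into a space is not visible here, so a path containing spaces is worth a test. Because the flag name reads inverted at this call site, a comment above `if(!fileURLBug)` would help: `// VM decodes %HH in file: URLs, so pre-encode to cancel the second decode`. The enclosing method starts and ends outside the hunk.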
@@ -1,7 +1,7 @@ /* - * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/URLUtil.java,v 1.7 2000/05/01 23:07:48 costin Exp $ - * $Revision: 1.7 $ - * $Date: 2000/05/01 23:07:48 $ + * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/URLUtil.java,v 1.7.2.1 2001/04/07 01:07:19 marcsaeg Exp $ + * $Revision: 1.7.2.1 $ + * $Date: 2001/04/07 01:07:19 $ * * ==================================================================== * @@ -65,7 +65,10 @@ package org.apache.tomcat.util; import java.net.URL; +import java.net.URLConnection; import java.io.File; +import java.io.FileNotFoundException; +import java.io.InputStream; import java.net.MalformedURLException; import java.io.IOException; @@ -76,6 +79,9 @@ public class URLUtil { + private static boolean fileURLBug = false; + private static boolean fileURLBugChecked = false; + public static URL resolve(String s) throws MalformedURLException { 
@@ -183,4 +189,42 @@ return null; } + /* + * There was a bug in versions of Suns Java runtime + * in versions prior to 1.3.0 for file: URLs. In those version + * URL encodings (%HH) were not decoded, in 1.3.0 and later + * they are. For example, in 1.2.2, the URL file:%2e would try + * try to open a file called %2e. In 1.3.0 and later it would + * try to open the current directory (i.e. .). + * + * This extra URL decoding for file: URLs can open severe security + * holes because it causes URLs to be decoded twice. For example, + * a request URI containing sequences of /%252e%252e would get + * interpreted as sequences of /.. and could escape the web application. + * + * The only way to determine if the current VM suffers from this bug + * of not is to execute a URLConnection.getInputStream() on a file + * URL + * + */ + public static synchronized boolean hasFileURLBug() + { + if(!fileURLBugChecked){ + fileURLBugChecked = true; + fileURLBug = false; + try{ + System.out.println("URLUtil.hasFileURLBug: user.dir = " + System.getProperty("user.dir")); + URL url = new URL("file:%2e"); + URLConnection con = url.openConnection(); + InputStream is = con.getInputStream(); + }catch(MalformedURLException e){ + }catch(FileNotFoundException e){ + fileURLBug = true; + }catch(IOException e){ + } + } + + System.out.println("URLUtil.hasFileURLBug: " + fileURLBug); + return fileURLBug; + } }
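Review bot: In `hasFileURLBug()` the probe stream returned by `con.getInputStream()` is never closed, and both `MalformedURLException` and `IOException` are swallowed by empty catch blocks, so an inconclusive probe cannot be told apart from a VM that decodes. That default appears to be the safe one, since Context.java then encodes the path, but it should be stated in a comment such as `// inconclusive probe: leave false so callers still encode`, with `is.close();` added after the open. The result presumably also depends on the process working directory: `file:%2e` is relative, so a file literally named `%2e` in `user.dir` would make a non-decoding VM report false. The two `System.out.println` calls look like debugging leftovers, and the second one runs on every call rather than only on the first probe.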